Sqrrl Blog

Jul 16, 2015 9:30:00 AM

Cyber Incident Matrix: IRS Breach

Severity Score: 3
Complexity Score: 4
How did we get these numbers?

Incident Summary

  • What was breached: IRS Database of Taxpayer Information

  • Delivery: February-May, 2015

  • The Attackers: Undisclosed “sophisticated enemies” originating in Russia

Overview:

On May 26th, 2015, the United States Internal Revenue Service (IRS) announced that the personal information of over 100,000 American taxpayers was stolen from “Get Transcript,” a service provided by the IRS that allowed taxpayers to get a transcript of their past tax activities. These transcripts were then used to file fraudulent tax returns in the name of the victims. Currently, the culprit is unknown to the public, though the IRS has indicated the attackers were Russian in origin.

[Figure: Sqrrl Cyber Incident Matrix: OPM Breach, IRS Breach]

Complexity Score:

  • Plan Time: 1

  • Indirect Attack: 1

  • Cyber/Human Coordinated: 0

  • Zero-Days Used: 0

  • Time Undetected: 1

  • Advanced TTPs: 1

  • Total: 4

The attackers began by answering the service's security questions using pre-gathered data, such as Social Security numbers, which gave them access to even more sensitive information. It is not known how the attackers obtained this initial data, but the IRS suspects it was purchased on the black market, based on the attackers' persona as an organized crime syndicate.

According to IRS Commissioner Koskinen, it was determined that “a total of approximately 200,000 suspicious attempts to gain access to taxpayer information on the Get Transcript application had been made between mid-February and mid-May. About 100,000 of the attempts were unsuccessful, with the parties making these attempts unable to work their way through the protections in place.” In mid-May of this year, the IRS experienced what they thought to be a DDoS attack on their servers, transmitted across the Get Transcript application. However, a more thorough inspection revealed that there had been over 200,000 fraudulent requests in Get Transcript, half of which returned sensitive information to the criminals.
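Because about half of the fraudulent requests passed verification, failure counts alone would not have separated them from legitimate use; a more telling signal is one source verifying many different identities in a short time. The Python sketch below is an added example, not code from Sqrrl or the IRS. It assumes attempts can be grouped by a source attribute such as client address, and its log format, thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real IRS data): time, source, identity token, result
SAMPLE_LOG = """\
2015-03-02T10:00:05 198.51.100.7 id-0001 pass
2015-03-02T10:00:41 198.51.100.7 id-0002 fail
2015-03-02T10:01:13 198.51.100.7 id-0003 pass
2015-03-02T10:02:02 198.51.100.7 id-0004 fail
2015-03-02T10:03:30 203.0.113.20 id-0900 fail
2015-03-02T10:04:10 203.0.113.20 id-0900 pass
2015-03-02T10:05:00 198.51.100.7 id-0005 pass
2015-03-02T18:30:00 203.0.113.20 id-0901 pass
"""

def parse(log):
    """Yield (timestamp, source, identity, passed) from whitespace-separated lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, ident, result = line.split()
        yield datetime.fromisoformat(ts), src, ident, result == "pass"

def flag_sources(log, max_identities=3, window=timedelta(hours=1)):
    """Return {source: (distinct identities, identities that passed)} for sources
    that try to verify more than max_identities identities inside one window."""
    by_src = defaultdict(list)
    for ts, src, ident, ok in sorted(parse(log)):
        by_src[src].append((ts, ident, ok))
    flagged = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            idents = {i for _, i, _ in span}
            if len(idents) > max_identities:
                passed = len({i for _, i, ok in span if ok})
                flagged[src] = max(flagged.get(src, (0, 0)), (len(idents), passed))
    return flagged

if __name__ == "__main__":
    for src, (n, passed) in flag_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} identities in one window, {passed} passed verification")
```

The second source in the sample retries a single identity and returns hours later for another, so it stays below the threshold, while the first is flagged even though most of its attempts succeed.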

Severity Score:

  • Incident Costs: 3

  • Physical Damage: 0

  • Lives Lost: 0

  • Nat. Sec. Impact: 0

  • Total: 3

Fortunately, the information held by Get Transcript is kept separate from the IRS's main database of taxpayer information. The Get Transcript service has been shut down until IRS security experts can patch its security holes. However, the IRS estimates that around $39,000,000 in fraudulent returns were issued as a result of this data breach. This comes in addition to the 100,000 taxpayers who now have more of their personal data being sold and used for illicit activities, bringing the total cost, at a value of $154 per compromised record, into the range of $54,400,000 ($39,000,000 in fraudulent returns plus 100,000 records at $154 each).
